I'm working on a search over our Windows events to analyze the changes to permissions on files and directories:
index=wineventlog sourcetype="XmlWinEventLog:Security" (EventID=4670 OR EventID=4907) AND ObjectType="File"
A security descriptor (specifying the access rights) is part of these events and looks like this:
In the reports and alerts I want to translate this to something a bit more readable. I have a PowerShell script which does exactly this, and I would like to incorporate it into my search. Is this possible, and how can I do this?
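One way to do the translation without leaving Splunk is an external (scripted) lookup that parses the SDDL string of the descriptor. The script below is an added example, not the poster's PowerShell script or anything from Splunk; it assumes a lookup script named sddl_lookup.py with an input field "sddl" and an output field "readable", and its abbreviation tables cover only a subset of the documented SDDL codes (unknown codes are passed through unchanged).

```python
# Splunk external lookup (assumed name sddl_lookup.py): SDDL -> readable ACE lines.
# Added example, not the poster's script; the code tables are a documented subset.
import csv
import re
import sys

ACE_TYPES = {"A": "Allow", "D": "Deny", "AU": "Audit"}
ACE_FLAGS = {"OI": "ObjInherit", "CI": "ContInherit", "IO": "InheritOnly",
             "NP": "NoPropagate", "ID": "Inherited"}
RIGHTS = {"FA": "FullAccess", "FR": "Read", "FW": "Write", "FX": "Execute",
          "GA": "GenericAll", "GR": "GenericRead", "GW": "GenericWrite",
          "GX": "GenericExecute", "RC": "ReadControl", "SD": "Delete",
          "WD": "WriteDAC", "WO": "WriteOwner"}
SIDS = {"BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users",
        "SY": "NT AUTHORITY\\SYSTEM", "AU": "NT AUTHORITY\\Authenticated Users",
        "WD": "Everyone", "CO": "CREATOR OWNER"}

def pairs(codes):
    """'OICI' -> ['OI', 'CI']: SDDL flag and right codes are two letters each."""
    return [codes[i:i + 2] for i in range(0, len(codes), 2)]

def translate_sddl(sddl):
    """One line per ACE in the DACL ('D:' part); ACE = (type;flags;rights;obj;inh_obj;sid)."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    out = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        f = ace.split(";")
        if len(f) < 6:
            out.append("unparsed: " + ace)
            continue
        atype, aflags, rights, _obj, _iobj, sid = f[:6]
        # Rights are two-letter codes ('FRFX') or a raw access mask ('0x1200a9').
        rts = rights if rights.startswith("0x") else \
            "+".join(RIGHTS.get(r, r) for r in pairs(rights))
        flg = ",".join(ACE_FLAGS.get(x, x) for x in pairs(aflags)) or "-"
        out.append("%s %s %s [%s]" % (ACE_TYPES.get(atype, atype), SIDS.get(sid, sid), rts, flg))
    return out

def main():
    # External-lookup protocol: CSV with the input field on stdin, CSV with the output on stdout.
    reader = csv.DictReader(sys.stdin)
    writer = csv.DictWriter(sys.stdout, fieldnames=["sddl", "readable"])
    writer.writeheader()
    for row in reader:
        writer.writerow({"sddl": row["sddl"], "readable": " | ".join(translate_sddl(row["sddl"]))})

if __name__ == "__main__":
    main()
```

After registering the script as an external lookup in transforms.conf, the search can call it with something like lookup sddl_lookup sddl AS NewSd OUTPUT readable (field name NewSd assumed for the new descriptor in the 4670 event), which also makes alerting on grants such as "Allow Everyone FullAccess" straightforward.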